Page 204 - Cyber Defense eMagazine June 2024
Vulnerability Management
Clear and comprehensive policies and procedures for vulnerability management must now be
documented. These should include preventative procedures such as internal and external penetration testing,
frequent system scans for vulnerabilities, and timely remediation of vulnerabilities once they are identified,
using security controls that are planned or already in place. These assessments must be updated annually, or whenever
there is a change to the business or the technology it uses that affects the institution's risk.
Data Protections
Speaking of preventative measures, the new regulation is more specific about the kinds of basic security
measures required of all financial institutions. For example, access privileges must be strictly enforced,
with certain data classified as "privileged" based on its security risk. Privileged information should be
safeguarded with password protection or user access permissions that are reviewed and updated annually
or whenever personnel depart.
Multi-factor authentication is another expectation that even covers those technically “exempt” from the
new regulations. This standard should be applied to all privileged data, as well as in cases of remote
access to the entity’s own information systems or that of third-party applications. Encryption is another
tool deemed acceptable and recommended by regulatory bodies.
Incident Response
Unfortunately, even the best-laid plans can fail, especially in the ever-changing digital world we now live
in. For this reason, 23 NYCRR Part 500 lays out clear expectations on how entities must prepare for and respond
to a cybersecurity event or incident. Under the new guidance, financial institutions are required to develop
thorough, documented response plans that highlight goals, root cause analysis procedures, and internal
processes to follow in the event of a cyber breach. Disaster recovery and business continuity plans should
also include data backup procedures and recovery approaches, and once finalized, be distributed to all
employees and tested regularly.
After a breach occurs, entities are required to notify the New York State Department of Financial Services
within 72 hours (or 24 hours in cases of extortion payments), providing all relevant and requested
documentation. Entities, and more specifically the CISO, must also proactively provide written
acknowledgment if they did NOT comply with regulatory requirements regarding the incident, and share
a remediation plan.
Monitoring and Training
Human error poses the biggest risk not only to an entity's cybersecurity but also to its ability to maintain
compliance. To avoid the consequences of human error, financial institutions must take the necessary steps
to block malicious content on devices, monitor web traffic, and implement other risk-based controls.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.